3078bfd761b290630321b44bf7e068922cb3ed191c98785d9f6048e5d342e346

Analysis

max time kernel
130s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
Size

1.2MB
MD5

ceca87332b6baef1d4362835c645fde4
SHA1

42e1397a1919374ca330e89c56e950be9774a7f1
SHA256

3078bfd761b290630321b44bf7e068922cb3ed191c98785d9f6048e5d342e346
SHA512

12ad155df88d18bc250bdca709d63e2615316d046bcf8fdd9e0daab0f1d71d87e91992d4fb502d7131de061540429ad687652e05cda59733ba2e1c0d8f814714
SSDEEP

24576:RbndcEBtMIgeOZ+FzZ5flLBVv0p8o30k65zQtqBG3G3ndFBex92JeDty/IZs:tndJBth/t59Fp9aDiQc6YdFBex92Jep8

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4432	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tpgenlic	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
File created	C:\Windows\SysWOW64\wmkawe_240647625.data	rundll32.exe
File created	C:\Windows\System32\TPPCOIPW32.dll	explorer.exe
File opened for modification	C:\Windows\System32\TPPCOIPW32.dll	explorer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\notepad_240647421.exe	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2584	PING.EXE

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acb8efc4ce8fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef1af2c4ce8fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d944bbc4ce8fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000502338c4ce8fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b05e33c4ce8fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6a5dcc4ce8fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ee601c6ce8fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a00310000000000515ad682100073797374656d33320000420009000400efbe874f7748515ad6822e00000000000000000000000000000000000000000000000000514bbc00730079007300740065006d0033003200000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 560031000000000000000000100057696e646f777300400009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000570069006e0064006f0077007300000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2584	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3672	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	772	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	772	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
228	rundll32.exe
228	rundll32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
3672	explorer.exe
3672	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 4432	1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe	89
PID 1692 wrote to memory of 4432	1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe	89
PID 1692 wrote to memory of 4432	1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe	89
PID 4432 wrote to memory of 396	4432	rundll32.exe	90
PID 4432 wrote to memory of 396	4432	rundll32.exe	90
PID 4432 wrote to memory of 396	4432	rundll32.exe	90
PID 1692 wrote to memory of 5028	1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe	94
PID 1692 wrote to memory of 5028	1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe	94
PID 1692 wrote to memory of 5028	1692	2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe	94
PID 5028 wrote to memory of 2584	5028	cmd.exe	96
PID 5028 wrote to memory of 2584	5028	cmd.exe	96
PID 5028 wrote to memory of 2584	5028	cmd.exe	96
PID 772 wrote to memory of 2364	772	SearchIndexer.exe	99
PID 772 wrote to memory of 2364	772	SearchIndexer.exe	99
PID 772 wrote to memory of 3000	772	SearchIndexer.exe	100
PID 772 wrote to memory of 3000	772	SearchIndexer.exe	100

C:\Users\Admin\AppData\Local\Temp\2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-08_ceca87332b6baef1d4362835c645fde4_icedid.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\appsoft\\install32.dll,installsvc installtrojan
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start C:\Windows\system32
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\delself.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:3968

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2364
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\appsoft\install32.dat

Filesize
279KB

MD5
02adb5a63d5d4fa74ddcc9e3b6976624

SHA1
cbb6b7e8e537dad3892361f26837396ea9695848

SHA256
d40e9f8176766b4a31ac9807837c3be0e957b755b6f3dd0eb8caf44aeb032060

SHA512
d3458c37c9892868e63dddadf26686ba30751a40bf529fc51df0d936fcede8145446a611a82e737ee36adf55b48f73f3a72f8ce381fc880a879fec23b9c1592a

Download Submit
C:\ProgramData\appsoft\install32.dll

Filesize
52KB

MD5
b39caefae13d0dc0344380b9b19c33c4

SHA1
6fe41d9026112599721916a251169ca360cc18e8

SHA256
766cee16390c18a85fb3ec9b740986c8ab022cbc35660ff60fba6e72050d417c

SHA512
76136b62ebfd8c969a6bf97c6e76127b67697ec0c7da1068c9951e6be4f8c8960d57103ad429f91ddc43702debbca069ba32ac2b6c179902111f339e7090e02a

Download Submit
C:\ProgramData\appsoft\install64.dll

Filesize
66KB

MD5
f272c73937cc5ef633dfcce3f118c6e0

SHA1
0cd50cce9735baadb376ea5a7102123a7ab1c390

SHA256
242cfd9271d9b6b15128cbbd6e000ecdbce1bb6e130991cb2b8d40f1751483cc

SHA512
309d7caaf3c71e06288fb5d89749e28b6328262522d0524fc6082458ac146ec7014bfc4463022259d478eb8a9f97548489f014d6e2f8f180d5f047908197ee06

Download Submit
C:\ProgramData\resmon.resmoncfg

Filesize
1KB

MD5
8f490dc7ec6782d4fd16f67c1df1c5f3

SHA1
038e54e03f3b8faf60c69a6d4c073df99bcb5953

SHA256
b448c3c879a662e82f1e9dca21c53abd2c0bd2f7aab1631918a04e910e41e5ed

SHA512
f1e9ab048bf6ea22f9d23d080ba10b7dcf7b395f09d4f32e39dbb9f03ab75ce61508b449f4d01e9c45dd236f1f43fc394ebd8facf02089925ef3acae55deaa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
307B

MD5
ee84b4ec9e7d5d14f725ba596455147f

SHA1
5f9e205ffb52d2293821524be39a0d165dfe6a6c

SHA256
e9b25efc10a6dea19e2b88a425f7ebcaaff90cebab175e8a1f12a2017892ba1d

SHA512
0c1875f2c8c447adec41da1d5a4a457a35a05be8505b4bc302967843da793e5689ad9e884c727fbfe5504b80e4e1d231e4e08bbe0f43799c64c9b410b31cdac6

Download Submit
memory/772-38-0x0000018CB7FA0000-0x0000018CB7FB0000-memory.dmp

Filesize
64KB

Download
memory/772-74-0x0000018CBDCB0000-0x0000018CBDCB8000-memory.dmp

Filesize
32KB

Download
memory/772-70-0x0000018CBC590000-0x0000018CBC598000-memory.dmp

Filesize
32KB

Download
memory/772-54-0x0000018CB81D0000-0x0000018CB81E0000-memory.dmp

Filesize
64KB

Download
memory/1692-2-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1692-1-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3000-83-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-90-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-100-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-104-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-76-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-77-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-78-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-79-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-80-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-81-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-82-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-105-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-86-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-87-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-85-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-89-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-91-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-101-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-88-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-84-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-92-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-93-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-94-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-95-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-97-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-96-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-98-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-99-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-102-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/3000-103-0x0000023EDC860000-0x0000023EDC870000-memory.dmp

Filesize
64KB

Download
memory/4432-32-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/4432-30-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/4432-29-0x0000000001F30000-0x0000000001F76000-memory.dmp

Filesize
280KB

Download
memory/4432-31-0x0000000002140000-0x000000000217E000-memory.dmp

Filesize
248KB

Download
memory/4432-130-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/4432-131-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download